MikroTik

Hi all, I have setup a site to site IPSEC VPN between 2 Mikrotik 750's and the VPN is coming up fine and I can ping the server at the opposite site ok.
Both ways ping works ok.
But if I try to browse to a computer on the other side I cannot, it appears that some traffic is not passing.
I am wondering if I need Netbios or something ?

Note: used to have 2 ciscos running the vpn and they worked ok so it is not a Windows DNS etc... sort of issue.

Try putting this in both ends to limit the data size of every packet, so it won't exceed MTU afther adding all IPSec headers, checksums, etc. Change 10.1.1.0/24 with the address range of the "branch" site

Try putting this in both ends to limit the data size of every packet, so it won't exceed MTU afther adding all IPSec headers, checksums, etc.

Code: Select all

/ip firewall mangle add chain=forward \
action=change-mss new-mss=1360 passthrough=yes
tcp-flags=syn protocol=tcp
src-address=10.1.1.0/24
dst-address=!10.1.1.0/24
tcp-mss=!0-1360

Change 10.1.1.0/24 with the address range of the "branch" site

Did that but it errors when I enter in the command with the following:
failure: tcp mss change works only on tcp syn packets

Write all in the same line...

Write all in the same line...

Code: Select all

/ip firewall mangle add chain=forward action=change-mss new-mss=1360 passthrough=yes tcp-flags=syn protocol=tcp src-address=10.1.1.0/24 dst-address=!10.1.1.0/24 tcp-mss=!0-1360

I have now done that on both sides but it has made no difference.
I can still ping the other side ok and do dns lookups etc but not browse.
I should also mention that I am using the ip address eg: \\192.168.20.1 so it is not a dns type issue.

I would need a drawing of your network to try to help you and also the config of the routers.

I would need a drawing of your network to try to help you and also the config of the routers.

I will try and upload the two config files I got by doing an export.
I have changed the external addresses to 1.1.1.1 and 2.2.2.2
Basically it is just two networks, one with the external address of 1.1.1.1
The 2nd network has the external address of 2.2.2.2
The first network has the internal address range of 192.168.20.0/24
The 2nd network has the internal address range of 192.168.91.0/24

And where's the gateway to Internet? Is one of the mikrotik devices or a different router?

And where's the gateway to Internet? Is one of the mikrotik devices or a different router?

I am not sure I understand your question.
Both routers can access the internet ok.
They both use a pppoe connection to the isp
The addresses 1.1.1.1 and 2.2.2.2 are both just aliases so I don't post the real addresses.
Does this help ?

Sorry but, what you mean with "try to browse to a computer on the other side"?

\\localip.in.remotevpn.network\c$ ??

Windows net bios protocol is supported only at ethernet level, so you have to create an EOIP link inside the IPSEC and bidge it with the ethernet ports in both the mikrotik routers.

According with your router configuration my be necessary to enable packet fragmentation (by firewall>mangle) on the ipsec tunnel

With this solution you'll obtain a unique ethernet segment.

I hope this is your solution.

A.

I just don't agree with you, unless OP is using an ancient OS. Since Windows 2000 windows shares use SMB protocol over TCP and are completely IP routable. Older Windows used SMB over NetBIOS/NetBEUI, which is non-routable protocol.

You can read all the details here:

http://en.wikipedia.org/wiki/Server_Message_Block
http://en.wikipedia.org/wiki/NetBIOS_Frames_protocol

Windows net bios protocol is supported only at ethernet level, so you have to create an EOIP link inside the IPSEC and bidge it with the ethernet ports in both the mikrotik routers.